What's missing from cloud security
As cloud catches on, administrators need incident response plans and a trained workforce, RSA speaker says
- By William Jackson
- Feb 15, 2011
SAN FRANCISCO — Cloud computing is moving from early adoption into a more mature, operational phase, but IT administrators still face challenges in ensuring security and creating a professional workforce to administer it, said Jim Reavis, executive director of the Cloud Security Alliance.
“We’re not spending as much time on awareness,” Reavis said. “We’re spending more time to help organizations operationalize their cloud strategy.”
CSA, an industry organization promoting best practices for security assurance in cloud computing, held a half-day summit Monday in conjunction with this week’s RSA Security Conference. The annual RSA conference for the first time this year includes a separate track devoted to cloud security, which Reavis said is an indication that the technology is maturing.
“It’s a reflection of the fact that people are doing real things in cloud computing,” he said.
Cloud computing moves resources into a shared environment, available on demand rather than depending on dedicated in-house systems. The potential for flexibility, cost savings and increased efficiency has made it a popular concept, and the Obama administration has identified it as a major part of the future of government computing.
But as with any new technology, it comes with the risk of new security threats that CSA is trying to stay ahead of.
“We have learned from previous technical innovations that we cannot ignore security,” Reavis said. “We are being more proactive. We are dealing with such accelerated innovation in the cloud that there will continue to be a lot of risk if we don’t maintain eternal vigilance.”
One of the alliance’s current efforts is an incident response research program with cloud providers and security experts to understand the processes needed to respond to security incidents.
“We know that how we respond is impacted by the cloud,” Reavis said. An attack on one organization hosted in the cloud could affect multiple service providers, who should be able to share information, he added. What to share and how to do it effectively has not been worked out yet. “That’s the problem we are trying to get ahead of.”
The alliance also is working to professionalize the cloud workforce and has established a user certification program for IT professionals working in the cloud. It is a Web-based testing program based on the Security Guidance for Critical Areas of Focus in Cloud Computing, a catalog of best practices first released by CSA in 2009. Most of the material covered in the certification is unique to cloud computing and not covered under other security certification programs, Reavis said.
Although the certification program was introduced in September, CSA has done little outreach to promote it so far, Reavis said. Still, “we’re seeing pretty aggressive adoption,” although the number of people certified has not been released. He said the pass rate is about 55 percent, which is “right in line with what you want for meaningful certification.”
The current program is designed to deliver a baseline awareness of cloud security issues, and the alliance hopes to expand it to a more technical certification next year as training opportunities grow. Reavis said CSA plans to add online and in-person training programs this year.
William Jackson is a freelance writer and the author of the CyberEye blog.